Java-Podcast

Background

Spring Security was created to solve a very common problem for web application developers:

“How can I make sure that ONLY people who have paid/signed-up for my web application have access to my web application?”

This is what Spring Security is all about, it provides an easy way for you to “secure” the access to your Spring application.

What does that mean exactly? Well let's say for instance that you have an information product like some Java Video Tutorials, and all of your content is available via a particular URL. You want to make sure that ONLY the people who have signed up can gain access to that particular URL. This means that anybody who has NOT signed up (and logged in) that tries to access this particular URL will be redirected AWAY from that special content and instead asked to log in.

How to integrate Spring Security

The first thing you need to do is to make sure that your application already uses the Spring Framework (as that's a dependency that Spring Security has). This means that if you do NOT have a Spring enabled web application, then you won't get much mileage out of Spring Security.

If you've got a Spring enabled web application, then you're good to go for setting up Spring Security.

Step 1

You'll need to import the Spring Security library files and dependencies. As I mentioned in the podcast, I recommend using Maven for this task. Here are the dependencies that I use in my products:


  org.springframework.security
  spring-security-taglibs
  3.1.0.RELEASE


  org.springframework.security
  spring-security-core
  3.1.0.RELEASE


  org.springframework.security
  spring-security-config
  3.1.0.RELEASE


  org.springframework.security
  spring-security-web
  3.1.0.RELEASE

Step 2

The next thing you'll need to do is to modify your web.xml file. You'll need to add in a filter that will allow all the requests to be filtered through the Spring Security code. This is because Spring Security uses URLs are the basis for how it secures access to your web application. Therefore it makes sense that you'll need to make sure that Spring Security has access to all the requests that come into your web application.

Here's what you'll need to add to your web.xml file:


  springSecurityFilterChain
  org.springframework.web.filter.DelegatingFilterProxy



  springSecurityFilterChain
  /*

I usually put this stuff in just below the contextConfigLocation context parameter.

Step 3

Create a new applicationContext-security.xml file and place it in with your existing applicationContext.xml file, usually located in the root of the /WEB-INF or /resources/META-INF/spring directory.

Note: I'm lazy and just placed my Spring Security configuration info directly in my applicationContext.xml file. Best practices state that you should have a separation of these “concerns” for <sarcasm>optimal “internal happiness and self-worth”.</sarcasm>

Step 4

Populate your new applicationContext-security.xml file with your ideal security settings.

Here's an example of my set up for Java Video Tutorials (as mentioned in the podcast):


  
  
  
  
  

Note: since I have my spring security configuration setup in my existing applicationContext.xml file, I need to prefix everything with <security:, I accomplish this by adding the appropriate name space in the header of the applicationContext.xml file: xmlns:security="http://www.springframework.org/schema/security"

Summary

When looking at the specific example I posted above, you'll notice that I make reference to authentication-success-handler-ref and authentication-failure-handler-ref. I use these two handlers so that I can have custom code to access my database when people try to login. This particular setup is outside the scope of this current conversation and I'll be creating a much more complete tutorial/course on how to integrate Spring Security with access to a database for authentication in the future. As I mentioned in the podcast I'll be linking this up to The Java Spring Security Course on Udemy so that you'll have an opportunity to see exactly how to accomplish this task.

For now I just want you all to know that there's a fairly easy to use solution out there already for adding a layer of security access to your web applications, so there's no need to try and re-invent the wheel by creating your own custom solution!

Links mentioned in Podcast

Free Java Beginners Course

Start learning how to code today with our free beginners course. Learn more.